# Privacy Policy for Sobreviva.App

**Last Updated:** July 7, 2024

## 1. Introduction

Welcome to Sobreviva.App ("we," "our," "us"). We are committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains how we collect, use, process, and safeguard your information when you use our application.

This policy is prepared in compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

## 2. Data Controller

Sobreviva.App is the data controller for your personal data. If you have any questions about this policy or our data protection practices, please contact us at [Your Contact Email, e.g., privacy@disasterpantry.com].

## 3. What Information We Collect

We collect and process the following types of personal and non-personal data:

**a) Information You Provide Directly:**
- **Account Information:** When you register, we collect your email address, a hashed version of your password, and optionally a display name and profile photo.
- **Pantry & Location Data:** All data you input regarding your inventory items (names, quantities, expiration dates), locations (names, addresses, coordinates), and family members (names, dietary information, medical notes) is stored in our database.
- **Sensitive Data:** We recognize that information such as addresses, GPS coordinates, and family medical notes is highly sensitive. We treat this data with the utmost care and secure it appropriately.

**b) Information from Third-Party Services:**
- **Google Authentication:** If you sign up using Google, we receive your name, email address, and profile picture URL as provided by Google.

**c) Information from AI Features:**
- **Photo Data:** When you use the "Add from Photo" feature, the images you upload are processed by our AI service provider (Google's Gemini models) to extract text. The images are stored in Firebase Storage, and the extracted text is saved as part of your pantry item data.
- **Pantry & Recipe Data for AI Analysis:** When you use the Pantry Analysis or Recipe Suggestion features, relevant data (pantry items, family dietary details) is sent to our AI service provider to generate a response. This data is not used to train the AI models.

**d) Usage and Diagnostic Data (Google Analytics 4):**
- We use **Google Analytics 4** (measurement ID `G-DBCHM3HESE`) to understand how the landing site and the application are used in aggregate, so we can improve them.
- GA receives: page paths visited, referrer, approximate region (anonymised IP — last octet truncated), device/browser type, your Firebase user ID (a pseudonymous identifier — never your email or name), your subscription tier (`free`/`premium`/`family` or `guest`), and your selected app language.
- We **never** send personal content to GA: no email, no display name, no addresses, no GPS coordinates, no inventory items, no family member details, no AI prompts or responses.
- We use **Google Consent Mode v2** with `analytics_storage` denied by default for visitors from the European Economic Area, the United Kingdom, and Switzerland. Storage is granted for signed-in users only after they accept the current Terms & Privacy versions on signup.
- Google Signals (cross-device tracking) is disabled. GA cookies are set only after consent.
- Unauthenticated visitors see a **cookie consent banner** at the bottom of the page on first visit. Choosing **Accept** updates `analytics_storage` to `granted` and persists the decision under the `pg_cookie_consent` key in browser local storage (`{decision, timestamp, version}`). Choosing **Reject** keeps `analytics_storage` denied; only the cookieless ping (page_path, screen size, anonymised region) is sent. Clearing the browser's local storage shows the banner again.
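
The consent flow above, written out as an added example (not Sobreviva.App's own code): `analytics_storage` defaults to `denied` for the EEA, UK and Switzerland, the tag loads with Google Signals off, Accept records `{decision, timestamp, version}` under `pg_cookie_consent` and sends a consent update, and Reject stores the decision without granting anything. `gtag()` and the storage object are stand-ins so the block runs in Node; in a browser the real `gtag()` from the Google tag snippet and `window.localStorage` take their place. The `POLICY_VERSION` value, the denied `ad_*` signals, and re-showing the banner on a version change are assumptions, not statements from the policy.

```javascript
// Added example (not Sobreviva.App's code): Consent Mode v2 wiring for section 3(d).

const MEASUREMENT_ID = 'G-DBCHM3HESE';      // measurement ID named in the policy
const CONSENT_KEY = 'pg_cookie_consent';    // local storage key named in the policy
const POLICY_VERSION = '2024-07-07';        // assumption: version tag matching "Last Updated"

// EEA member states plus the United Kingdom and Switzerland (ISO 3166-1 alpha-2).
const OPT_IN_REGIONS = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO', 'GB', 'CH',
];

// Stand-in for the Google tag: the real gtag() also pushes its arguments onto dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// In-memory Storage-like object for running outside a browser (constructed stand-in).
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Step 1: consent defaults. This must be the first gtag() call, before 'config',
// so no analytics cookie is written for visitors in the listed regions. The ad_*
// signals being denied is an assumption; the policy only mentions analytics_storage.
function setConsentDefaults() {
  const defaults = {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    region: OPT_IN_REGIONS,
    wait_for_update: 500, // ms the tag waits for a consent update before its first hit
  };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Step 2: load the tag with Google Signals disabled, as the policy states.
function configureTag() {
  const config = { allow_google_signals: false };
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, config);
  return config;
}

// Read the persisted decision; anything malformed counts as "no decision yet"
// rather than trusting whatever happens to be in local storage.
function readStoredDecision(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && (rec.decision === 'accept' || rec.decision === 'reject')
        && typeof rec.timestamp === 'number' && typeof rec.version === 'string') {
      return rec;
    }
  } catch (e) { /* corrupt JSON falls through to removal */ }
  storage.removeItem(CONSENT_KEY);
  return null;
}

// Banner shows when nothing valid is stored (e.g. after clearing local storage).
// Re-prompting on a version change is an assumption, not something the policy states.
function shouldShowBanner(record) {
  return record === null || record.version !== POLICY_VERSION;
}

// Step 3: the banner's Accept/Reject handler. Only Accept sends a consent update;
// Reject leaves analytics_storage denied, so GA stays on cookieless pings.
function recordDecision(decision, storage, now = Date.now()) {
  if (decision !== 'accept' && decision !== 'reject') {
    throw new Error('decision must be "accept" or "reject"');
  }
  const record = { decision, timestamp: now, version: POLICY_VERSION };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  if (decision === 'accept') {
    gtag('consent', 'update', { analytics_storage: 'granted' });
  }
  return record;
}

// Page boot: defaults first, replay a stored Accept, then load the tag.
// Returns whether the banner should be rendered.
function bootAnalytics(storage) {
  setConsentDefaults();
  const stored = readStoredDecision(storage);
  if (stored && stored.decision === 'accept') {
    gtag('consent', 'update', { analytics_storage: 'granted' });
  }
  configureTag();
  return shouldShowBanner(stored);
}
```

The ordering in `bootAnalytics` is the part worth checking in a real deployment: if the `config` command runs before the `consent default` command, the tag may set its cookie before it learns that storage is denied. Inspecting `dataLayer` in the browser console, or watching which `_ga` cookies appear after a Reject, is a straightforward way to confirm the behaviour the policy promises.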

## 4. How We Use Your Information (Legal Basis for Processing)

We process your data for the following purposes and under these legal bases:

- **To Provide and Maintain Our Service (Performance of a Contract):** We use your account, pantry, location, and family data to provide the core functionality of the app.
- **To Improve and Personalize the App (Legitimate Interest):** We analyze aggregated, anonymized usage data to understand how our app is used and to improve its features and usability.
- **To Secure Your Data (Legal Obligation & Legitimate Interest):** We implement security measures to protect your data from unauthorized access.
- **AI Feature Functionality (Performance of a Contract):** We process your data through AI models solely to provide you with the features you request, such as item recognition and analysis.
- **To Communicate with You (Legitimate Interest):** We may use your email address to send you important service-related announcements or updates.

## 5. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with the following third parties under strict data protection terms:

- **Firebase (Google):** Our backend infrastructure, including database, authentication, and storage, is provided by Google Firebase.
- **Google AI Platform:** Our AI features are powered by Google's Generative AI models. Data sent for processing is governed by Google's data privacy policies.
- **Google Analytics 4 (Google):** We use GA4 to measure aggregate usage of the landing site and application. See section 3(d) for what is sent and section 4 for the legal basis.

We will not share your data with any other third parties without your explicit consent, unless required by law.

## 6. Data Storage and Security

- **Storage Location:** Your data is stored on Google Firebase servers, which may be located in various regions. Google implements high-level security measures to protect this data.
- **Security Measures:** While we rely on Firebase's robust security, we also implement security rules to ensure that only you can access your personal data. Sensitive data such as location addresses is protected and not publicly accessible.
- **Encryption:** Data is encrypted in transit (using HTTPS) and at rest on Firebase servers.

## 7. Your Data Protection Rights (GDPR)

As a user, you have the following rights regarding your personal data:

- **The right to access:** You can request copies of your personal data.
- **The right to rectification:** You can request that we correct any information you believe is inaccurate or incomplete.
- **The right to erasure:** You can request that we erase your personal data, under certain conditions.
- **The right to restrict processing:** You can request that we restrict the processing of your personal data, under certain conditions.
- **The right to object to processing:** You can object to our processing of your personal data, under certain conditions.
- **The right to data portability:** You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

To exercise any of these rights, please contact us at our designated support email.

## 8. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, your data will be permanently deleted from our primary databases within a reasonable timeframe, subject to our backup policies.

## 9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and, if applicable, through an in-app notification. You will be asked to review and accept the new policy if the changes materially affect your rights or our data processing practices.

## 10. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us.